How to Use the IBM QRadar MCP in Claude Code

Q: Can I pipe IBM QRadar offense details to other CLI tools with Claude Code?

Yes, you can fetch offense data via getoffensedetails and pipe the output to tools like jq or curl. Claude Code formats the response for easy terminal manipulation.

Q: How do I add the IBM QRadar MCP Server to Claude Code?

Run the command claude mcp add --transport http qradar -- in your terminal. Claude Code will instantly register the MCP tools and make them available for your next prompt.

Q: Can I modify active rules from the terminal?

You can list rules using getrules to inspect their conditions, but modifying the rules themselves must be done in the console. You can, however, update offense statuses using updateoffense.

Control your IBM QRadar security console directly from your terminal using Claude Code CLI.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect IBM QRadar MCP to Claude Code

Create your Vinkius account to connect IBM QRadar to Claude Code and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup IBM QRadar with Claude Code

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Terminal-Driven Incident Response

The `get_offenses` tool gives Claude Code immediate access to active security alerts directly in your shell. You can pipe this raw JSON output straight to grep, jq, or other command-line utilities. If an alert requires deeper investigation, you can fetch the full payload using `get_offense_details`. This keeps your triage process fast and keyboard-driven without opening a heavy web browser.

Fast Ariel Queries via CLI MCP Server

This MCP Server uses `execute_aql` to run database searches straight from your terminal. Claude Code starts the search, tracks it with `get_aql_status`, and prints the results when ready. You can retrieve the final event logs using `get_aql_results` and redirect them to local files. This makes it simple to run fast log analysis during an active incident.

Shell-Based Offense Management

The `update_offense` tool lets you modify alerts, close false positives, or change severity ratings from the command line. Claude Code executes the update instantly, bypassing the console UI. It cross-references the network context using `get_network_hierarchy` to ensure your changes align with defined subnets. Your terminal becomes the single control point for your entire SOC response.

Setup guide

Set up IBM QRadar MCP in Claude Code

Prerequisites

Claude Code CLI installed (npm install -g @anthropic-ai/claude-code)
Active Vinkius subscription with a valid endpoint token

1

Run the add command

Open your terminal and run the command shown on the right. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com. Use --scope user to make it available across all projects.
2

Verify the connection

Start a Claude Code session and type /mcp to list connected servers. You should see ibm-qradar-mcp with a green status indicator.
3

Start using tools

Ask Claude Code something like "Check my latest IBM QRadar transactions." It will automatically discover and invoke the available IBM QRadar tools.

Terminal

claude mcp add --transport http ibm-qradar-mcp https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

Get your connection token →

Prerequisites

Claude Code CLI installed
Active Vinkius subscription with a valid endpoint token

1

Open the config file

Create or edit .mcp.json in your project root for project-level scope, or ~/.claude.json for user-level scope.
2

Add the IBM QRadar MCP

Paste the JSON snippet shown on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Restart Claude Code

Start a new Claude Code session. Type /mcp to confirm the server is connected. The tools will be automatically available in your conversation.

.mcp.json

{
  "mcpServers": {
    "ibm-qradar-mcp": {
      "type": "url",
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by IBM QRadar. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect IBM QRadar now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about IBM QRadar MCP in Claude Code

You tell Claude Code what you need to find, and it executes `execute_aql` in the background. It polls for completion and displays the raw logs in your terminal.

Yes, you can fetch offense data via `get_offense_details` and pipe the output to tools like jq or curl. Claude Code formats the response for easy terminal manipulation.

Run the command `claude mcp add --transport http qradar -- ` in your terminal. Claude Code will instantly register the MCP tools and make them available for your next prompt.

You can list rules using `get_rules` to inspect their conditions, but modifying the rules themselves must be done in the console. You can, however, update offense statuses using `update_offense`.

The terminal client communicates with QRadar via a local loopback or direct secure endpoint. Vinkius secures this channel using sandboxed V8 isolates, ensuring your raw Ariel queries and offense payloads never leak to third-party servers.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript